Implementing NTS options

Gary E. Miller gem at rellim.com
Sat Feb 2 21:38:47 UTC 2019


Yo Hal!

On Sat, 02 Feb 2019 01:44:31 -0800
Hal Murray via devel <devel at ntpsec.org> wrote:

> >>*tls1.2* Allow TLS1.2 connection.
> >>*tls1.3* Allow TLS1.3 connection.  
> > Second, why would you ever want one of these allow bits off?  I
> > want to hear a good story here not just to convince me that they're
> > worth the complexity but so it can go in the documentation.   
> 
> From the draft:
> 
> Implementations MUST NOT negotiate TLS versions earlier than 1.2,
> SHOULD negotiate TLS 1.3 [RFC8446] or later when possible, and MAY
> refuse to negotiate any TLS version which has been superseded by a
> later supported version.
> 
> --------
> 
> I assume the default would be no for TLS 1.2 and yes for TLS 1.3

Except 1.3 not working yet.

> Should we be specifying min version rather than allowing various
> versions?

No.  That was done in the SSL days and failed when TLS superseded SSL.
This will happen again.  Soon.

The Proposed RFC envisions rapid change of versions, more rapid than
RFCs change.  We need to as well.

> Do we need a way to test 1.2?

Do we need to test anything?  Hell yes.  Test everything.

>  Maybe we can wait until we find a box
> that doesn't support 1.3 yet.

All around you.  As previously discussed: Gentoo, and anything like
RHEL, Android or Windows that gets infrequent updates.  Even the most
recent OSes don't really support TLS 1.3.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
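The thread contrasts two ways of expressing the TLS policy for the NTS-KE connection: one "allow" bit per version (tls1.2, tls1.3) versus a single minimum-version knob. The following Python snippet is an added illustration, not NTPsec code, showing how the per-version bits map onto the minimum/maximum bounds that an SSL library actually takes, how the draft's "MUST NOT negotiate earlier than 1.2" floor is enforced by construction, and how a box whose OpenSSL cannot do TLS 1.3 is detected rather than silently downgraded. The helper names (`version_bounds`, `build_nts_ke_context`, `tls13_available`) are hypothetical; only the standard `ssl` module is used.

```python
import ssl

# Only TLS 1.2 and 1.3 are candidates at all: the draft says implementations
# MUST NOT negotiate anything earlier than 1.2, so no "allow" bit exists
# for older versions and nothing below 1.2 can ever become a bound.
TLS12 = ssl.TLSVersion.TLSv1_2
TLS13 = ssl.TLSVersion.TLSv1_3


def version_bounds(allow_tls12: bool, allow_tls13: bool):
    """Map the two 'allow' bits to a (minimum, maximum) TLS version pair.

    Each bit switches one version on or off independently; the lowest and
    highest enabled versions become the bounds handed to the TLS library.
    Raises ValueError when both bits are off, since nothing could be
    negotiated.  (Hypothetical helper written for this example.)
    """
    enabled = []
    if allow_tls12:
        enabled.append(TLS12)
    if allow_tls13:
        enabled.append(TLS13)
    if not enabled:
        raise ValueError("at least one of tls1.2 / tls1.3 must be allowed")
    return min(enabled), max(enabled)


def tls13_available() -> bool:
    """True when the OpenSSL linked into this Python can actually speak TLS 1.3."""
    return bool(getattr(ssl, "HAS_TLSv1_3", False))


def build_nts_ke_context(allow_tls12: bool = False,
                         allow_tls13: bool = True) -> ssl.SSLContext:
    """Build a client-side SSLContext for the NTS-KE connection.

    Defaults follow the thread's suggestion: tls1.2 off, tls1.3 on.  If the
    only allowed version is 1.3 but the local library cannot do 1.3, fail
    loudly instead of silently accepting something older.
    """
    lo, hi = version_bounds(allow_tls12, allow_tls13)
    if lo == TLS13 and not tls13_available():
        raise RuntimeError(
            "TLS 1.3 is the only allowed version but this OpenSSL build "
            "lacks it; allow tls1.2 on this host")
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = lo   # floor never drops below TLS 1.2
    ctx.maximum_version = hi   # ceiling is the newest allowed version
    return ctx


if __name__ == "__main__":
    for bits in [(False, True), (True, True), (True, False)]:
        lo, hi = version_bounds(*bits)
        print(f"tls1.2={bits[0]} tls1.3={bits[1]} -> negotiate {lo.name}..{hi.name}")
    print("local OpenSSL has TLS 1.3:", tls13_available())
```

Keeping the bits separate rather than a single minimum is what lets an operator turn 1.2 off once 1.3 works everywhere, or turn 1.3 off on a host whose library is broken, without the code having to know which version is "current"; when a TLS 1.4 appears, a third bit and a third entry in the candidate list are the whole change.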